tombrdfrd66
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jan 10, 2009 12:09 am
Location: New Zealand

Out of my depth with PPP routing

Tue Apr 06, 2010 1:00 am

Help appreciated with the following problem.

As per the diagram a subscribers CPE (RB433) has four interfaces, viz:

1. Ethernet to subscriber's PC
2. A hotspot for guests
3. An AP for several neighbours who don't have line of sight to the local AP
4. Link to the local AP and internet gateway.

I needed to keep data on 1 and 2 separate from 3 for accounting.

The neighbours have individual PPP tunnels to the gateway. I had assumed that a PPP tunnel starting at this CPE for default traffic would only carry Internet connections initiated by the Hotspot and/or the subscriber's PC. This seemed to be the case, but with the tunnel connected the subscriber's PC lost the ability to browse though connections would be made, and the hotspot became erratic. Disconnecting the tunnel solved all problems.

It is as if the tcp packets returning down the tunnel arrived at the CPE but then didn't know if they should be routed to the Hotspot (10.5.1.0/24) or the ethernet (192.168.88.0/24), although the tunnel is masqueraded.

Any insights, solutions, alternatives greatly appreciated
 
missinlnk
Member Candidate
Posts: 113
Joined: Wed Aug 13, 2008 8:10 pm

Re: Out of my depth with PPP routing

Tue Apr 06, 2010 1:31 am

Can you post a copy of your config to give us a clearer picture of the details of this unit's setup?
 
tombrdfrd66
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jan 10, 2009 12:09 am
Location: New Zealand

Re: Out of my depth with PPP routing

Tue Apr 06, 2010 2:44 am

> Can you post a copy of your config to give us a clearer picture of the details of this unit's setup?
How do I do that?
 
nz_monkey
Forum Guru
Posts: 2206
Joined: Mon Jan 14, 2008 1:53 pm
Location: Over the Rainbow

Re: Out of my depth with PPP routing

Tue Apr 06, 2010 6:39 am

/export file=100406-config_dump.rsc

then copy it off by dragging it out of the "Files" window in Winbox to your desktop; you should then be able to upload it to the forum.

Regards,

Andrew
 
tombrdfrd66
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jan 10, 2009 12:09 am
Location: New Zealand

Re: Out of my depth with PPP routing

Tue Apr 06, 2010 7:45 am

ALL of it?

OK. (Some of the names have been changed to protect the innocent.)

nb. The L2TP client is currently disabled. All firewall entries are as entered by Hotspot set-up + masquerading the Jan and l2tp-out interfaces


# apr/06/2010 16:18:53 by RouterOS 3.20
# software id = TEVM-LTT
#
/interface ethernet
set 0 arp=enabled auto-negotiation=yes comment="" disabled=no full-duplex=yes \
mac-address=00:0C:42:28:45:A9 mtu=1500 name=ether1 speed=100Mbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=yes full-duplex=yes mac-address=00:0C:42:28:45:AA \
master-port=none mtu=1500 name=ether2 speed=100Mbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\
"" disabled=yes full-duplex=yes mac-address=00:0C:42:28:45:AB \
master-port=none mtu=1500 name=ether3 speed=100Mbps
/interface wireless security-profiles
set default authentication-types="" eap-methods=passthrough group-ciphers="" \
group-key-update=5m interim-update=0s mode=none name=default \
radius-eap-accounting=no radius-mac-accounting=no \
radius-mac-authentication=no radius-mac-caching=disabled \
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=\
none tls-mode=no-certificates unicast-ciphers="" wpa-pre-shared-key="" \
wpa2-pre-shared-key=""
add authentication-types=wpa2-psk group-ciphers=aes-ccm group-key-update=5m \
interim-update=0s mode=dynamic-keys name="name -WPA2" \
radius-eap-accounting=no radius-mac-accounting=no \
radius-mac-authentication=no radius-mac-caching=disabled \
radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username \
static-algo-0=none static-algo-1=none static-algo-2=none static-algo-3=\
none static-key-0="" static-key-1="" static-key-2="" static-key-3="" \
static-sta-private-algo=none static-sta-private-key="" \
static-transmit-key=key-0 supplicant-identity="" tls-certificate=none \
tls-mode=no-certificates unicast-ciphers=aes-ccm wpa-pre-shared-key="" \
wpa2-pre-shared-key=\
nnn
/interface wireless
set 0 ack-timeout=dynamic adaptive-noise-immunity=client-mode \
allow-sharedkey=no antenna-gain=8 antenna-mode=ant-a area="" arp=enabled \
band=2.4ghz-b/g basic-rates-a/g=6Mbps basic-rates-b=1Mbps burst-time=\
disabled comment="" compression=no country="new zealand" \
default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=\
0 default-forwarding=yes dfs-mode=none disable-running-check=no disabled=\
no disconnect-timeout=3s frame-lifetime=0 frequency=2412 frequency-mode=\
regulatory-domain hide-ssid=no hw-retries=4 mac-address=00:02:6F:4B:27:40 \
max-station-count=2007 mode=ap-bridge mtu=1500 name=Hotspot \
noise-floor-threshold=default on-fail-retry-time=100ms \
periodic-calibration=default periodic-calibration-interval=60 \
preamble-mode=both proprietary-extensions=post-2.9.25 radio-name=Hotspot \
rate-set=default scan-list=default security-profile=default ssid=\
"Guests" station-bridge-clone-mac=00:00:00:00:00:00 \
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps tx-power-mode=default \
update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=\
none wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled \
wmm-support=disabled
set 1 ack-timeout=dynamic adaptive-noise-immunity=client-mode \
allow-sharedkey=no antenna-gain=15 antenna-mode=ant-a area="" arp=enabled \
band=2.4ghz-onlyg basic-rates-a/g=6Mbps basic-rates-b=1Mbps burst-time=\
disabled comment="" compression=no country="new zealand" \
default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=\
0 default-forwarding=yes dfs-mode=none disable-running-check=no disabled=\
no disconnect-timeout=5s frame-lifetime=0 frequency=2472 frequency-mode=\
regulatory-domain hide-ssid=no hw-retries=4 mac-address=00:02:6F:4B:27:4D \
max-station-count=2007 mode=station mtu=1500 name=Jan \
noise-floor-threshold=default on-fail-retry-time=100ms \
periodic-calibration=default periodic-calibration-interval=60 \
preamble-mode=both proprietary-extensions=post-2.9.25 radio-name=\
"name" rate-set=configured scan-list=default security-profile=\
"name -WPA2" ssid=name station-bridge-clone-mac=00:00:00:00:00:00 \
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
supported-rates-b=1Mbps,2Mbps,5.5Mbps tx-power-mode=default \
update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=\
none wds-default-cost=100 wds-ignore-ssid=no wds-mode=disabled \
wmm-support=disabled
set 2 ack-timeout=dynamic adaptive-noise-immunity=ap-and-client-mode \
allow-sharedkey=no antenna-gain=0 antenna-mode=ant-a area="" arp=enabled \
band=2.4ghz-b basic-rates-a/g=6Mbps basic-rates-b=1Mbps burst-time=\
disabled comment="" compression=no country="new zealand" \
default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=\
0 default-forwarding=yes dfs-mode=none disable-running-check=no disabled=\
no disconnect-timeout=5s frame-lifetime=0 frequency=2442 frequency-mode=\
regulatory-domain hide-ssid=no hw-retries=4 mac-address=00:02:6F:52:DB:CD \
max-station-count=2007 mode=ap-bridge mtu=1500 name="locals" \
noise-floor-threshold=default on-fail-retry-time=100ms \
periodic-calibration=default periodic-calibration-interval=60 \
preamble-mode=both proprietary-extensions=post-2.9.25 radio-name=Jan2 \
rate-set=configured scan-list=default security-profile="name -WPA2" \
ssid="name" station-bridge-clone-mac=00:00:00:00:00:00 \
supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps \
supported-rates-b=1Mbps,2Mbps,5.5Mbps tx-power=17 tx-power-mode=\
card-rates update-stats-interval=disabled wds-cost-range=50-150 \
wds-default-bridge=none wds-default-cost=100 wds-ignore-ssid=no wds-mode=\
disabled wmm-support=disabled
/interface wireless manual-tx-power-table
set Hotspot comment="" manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:1\
7,6Mbps:17,9Mbps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mb\
ps:17,HT20-1:0,HT20-2:0,HT20-3:0,HT20-4:0,HT20-5:0,HT20-6:0,HT20-7:0,HT20-\
8:0,HT40-1:0,HT40-2:0,HT40-3:0,HT40-4:0,HT40-5:0,HT40-6:0,HT40-7:0,HT40-8:\
0"
set Jan comment="" manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6M\
bps:17,9Mbps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:1\
7,HT20-1:0,HT20-2:0,HT20-3:0,HT20-4:0,HT20-5:0,HT20-6:0,HT20-7:0,HT20-8:0,\
HT40-1:0,HT40-2:0,HT40-3:0,HT40-4:0,HT40-5:0,HT40-6:0,HT40-7:0,HT40-8:0"
set "locals" comment="" manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:1\
7,11Mbps:17,6Mbps:17,9Mbps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mb\
ps:17,54Mbps:17,HT20-1:0,HT20-2:0,HT20-3:0,HT20-4:0,HT20-5:0,HT20-6:0,HT20\
-7:0,HT20-8:0,HT40-1:0,HT40-2:0,HT40-3:0,HT40-4:0,HT40-5:0,HT40-6:0,HT40-7\
:0,HT40-8:0"
/interface wireless nstreme
set Hotspot comment="" disable-csma=no enable-nstreme=no enable-polling=no \
framer-limit=3200 framer-policy=none
set Jan comment="" disable-csma=no enable-nstreme=no enable-polling=yes \
framer-limit=3200 framer-policy=none
set "locals" comment="" disable-csma=no enable-nstreme=no \
enable-polling=yes framer-limit=3200 framer-policy=none
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no \
use-radius=no
add dns-name=guests.name.local hotspot-address=10.5.50.1 html-directory=\
hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=\
cookie,http-chap name=hsprof2 rate-limit="" smtp-server=58.28.4.122 \
split-user-domain=no use-radius=no
/ip ipsec proposal
set default auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m \
name=default pfs-group=modp1024
/ip pool
add name=hs-pool-4 ranges=10.5.50.20-10.5.50.99
add name=etherpool ranges=192.168.10.20-192.168.10.29
/ip dhcp-server
add address-pool=etherpool authoritative=after-2sec-delay bootp-support=\
static disabled=no interface=ether1 lease-time=3d name=server1
add address-pool=hs-pool-4 authoritative=after-2sec-delay bootp-support=\
static disabled=no interface=Hotspot lease-time=1h name=dhcp1
/ip hotspot
add address-pool=hs-pool-4 addresses-per-mac=2 disabled=no idle-timeout=5m \
interface=Hotspot keepalive-timeout=none name=hotspot1 profile=hsprof2
/ip hotspot user profile
set default address-pool=hs-pool-4 advertise=no keepalive-timeout=2m name=\
default open-status-page=http-login shared-users=1 status-autorefresh=1m \
transparent-proxy=yes
/port
set 0 baud-rate=auto data-bits=8 flow-control=none name=serial0 parity=none \
stop-bits=1
/ppp profile
set default change-tcp-mss=yes comment="" local-address=10.10.10.1 name=\
default only-one=default use-compression=default use-encryption=default \
use-vj-compression=default
add change-tcp-mss=default comment="" local-address=10.101.5.1 name=locals \
only-one=default use-compression=default use-encryption=default \
use-vj-compression=default
add change-tcp-mss=default comment="" dns-server=172.16.3.1 name=L2TP \
only-one=default use-compression=default use-encryption=default \
use-vj-compression=default
set default-encryption change-tcp-mss=yes comment="" name=default-encryption \
only-one=default use-compression=default use-encryption=yes \
use-vj-compression=default
/interface l2tp-client
add add-default-route=yes allow=pap,chap,mschap1,mschap2 comment="" \
connect-to=172.16.3.1 disabled=yes max-mru=1460 max-mtu=1460 mrru=\
disabled name=l2tp-out1 password=Jan profile=L2TP user=Trevor
/queue type
set default kind=pfifo name=default pfifo-limit=50
set ethernet-default kind=pfifo name=ethernet-default pfifo-limit=50
set wireless-default kind=sfq name=wireless-default sfq-allot=1514 \
sfq-perturb=5
set synchronous-default kind=red name=synchronous-default red-avg-packet=1000 \
red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set hotspot-default kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=\
5
set default-small kind=pfifo name=default-small pfifo-limit=10
/snmp
set contact="" enabled=no engine-boots=0 engine-id="" location="" \
time-window=15 trap-sink=0.0.0.0 trap-version=1
/snmp community
set public address=0.0.0.0/0 authentication-password="" \
authentication-protocol=MD5 encryption-password="" encryption-protocol=\
DES name=public read-access=yes security=none write-access=no
/system logging action
set memory memory-lines=100 memory-stop-on-full=no name=memory target=memory
set disk disk-lines=100 disk-stop-on-full=no name=disk target=disk
set echo name=echo remember=yes target=echo
set remote name=remote remote=10.0.3.2:514 target=remote
/system routerboard settings
set baud-rate=115200 boot-delay=2s boot-device=nand-if-fail-then-ethernet \
boot-protocol=bootp cpu-frequency=300MHz enable-jumper-reset=yes \
enter-setup-on=any-key
set baud-rate=115200 boot-delay=2s boot-device=nand-if-fail-then-ethernet \
boot-protocol=bootp cpu-frequency=300MHz enable-jumper-reset=yes \
enter-setup-on=any-key
/user group
add name=read policy="local,telnet,ssh,reboot,read,test,winbox,password,web,sn\
iff,!ftp,!write,!policy"
add name=write policy="local,telnet,ssh,reboot,read,write,test,winbox,password\
,web,sniff,!ftp,!policy"
add name=full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbo\
x,password,web,sniff"
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=\
no
/interface ethernet mirror
set mirror-port=none source-port=none
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=\
default-encryption enabled=no max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=\
default enabled=no keepalive-timeout=60 mac-address=FE:29:50:4D:CA:56 \
max-mtu=1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pppoe-server server
add authentication=pap default-profile=default disabled=yes interface=ether1 \
keepalive-timeout=10 max-mru=1480 max-mtu=1480 max-sessions=0 mrru=\
disabled one-session-per-host=yes service-name=service1
add authentication=pap,chap,mschap1,mschap2 default-profile=locals disabled=\
yes interface="locals" keepalive-timeout=10 max-mru=1480 \
max-mtu=1480 max-sessions=0 mrru=disabled one-session-per-host=yes \
service-name=service2
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption \
enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface wireless access-list
add ap-tx-limit=0 authentication=yes client-tx-limit=0 comment="" disabled=no \
forwarding=yes interface="locals" mac-address=00:02:6F:52:DB:C8 \
private-algo=none private-key="" private-pre-shared-key="" signal-range=\
-120.120
add ap-tx-limit=0 authentication=yes client-tx-limit=0 comment="" disabled=no \
forwarding=yes interface="locals" mac-address=00:02:6F:55:14:E0 \
private-algo=none private-key="" private-pre-shared-key="" signal-range=\
-120.120
add ap-tx-limit=0 authentication=yes client-tx-limit=0 comment="" disabled=no \
forwarding=yes interface=Hotspot mac-address=00:02:6F:55:14:BE \
private-algo=none private-key="" private-pre-shared-key="" signal-range=\
-120.120
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=\
00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 \
frames-per-second=25 receive-all=no ssid-all=no
/interface wireless connect-list
add area-prefix="" comment="" connect=yes disabled=no interface=Jan \
mac-address=00:0C:42:1F:39:F7 security-profile="name -WPA2" \
signal-range=-120.120 ssid=name
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 \
multiple-channels=no only-headers=no receive-errors=no streaming-enabled=\
no streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=10.1.70.75/24 broadcast=10.1.70.255 comment="" disabled=no \
interface=Jan network=10.1.70.0
add address=192.168.10.1/24 broadcast=192.168.10.255 comment="" disabled=no \
interface=ether1 network=192.168.10.0
add address=10.1.5.1/24 broadcast=10.1.5.255 comment="" disabled=no \
interface="locals" network=10.1.5.0
add address=10.5.50.1/24 broadcast=10.5.50.255 comment="hotspot network" \
disabled=no interface=Hotspot network=10.5.50.0
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=10.5.50.0/24 comment="hotspot network" dns-server=10.5.50.1 \
gateway=10.5.50.1 netmask=24
add address=192.168.10.0/24 comment="" dns-server=192.168.10.1 gateway=\
192.168.10.1 ntp-server=172.16.3.1
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
max-udp-packet-size=512 primary-dns=172.16.3.1 secondary-dns=\
202.180.64.10
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
tcp-close-wait-timeout=10s tcp-established-timeout=1d \
tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s \
tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no \
tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="" disabled=no out-interface=Jan
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
l2tp-out1
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=10.1.70.75 \
dst-port=3389 in-interface=Jan protocol=udp to-addresses=192.168.10.10 \
to-ports=3389
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
disabled=no src-address=10.5.50.0/24
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
/ip hotspot service-port
set ftp disabled=no ports=21
/ip hotspot user
add comment="" disabled=no name=admin password="xxx" profile=default server=hotspot1
/ip neighbor discovery
set ether1 discover=no
set ether2 discover=no
set ether3 discover=no
set Hotspot discover=no
set Jan discover=no
set "locals" discover=no
set l2tp-out1 discover=no
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=no enabled=no max-cache-size=unlimited \
max-client-connections=600 max-fresh-time=3d max-server-connections=600 \
parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=\
no src-address=0.0.0.0
/ip route
add comment="" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=10.1.70.1 \
scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=10.17.0.0/16 gateway=\
10.1.70.1 scope=30 target-scope=10
add comment="" disabled=no distance=1 dst-address=172.16.3.1/32 gateway=\
10.1.70.1 scope=30 target-scope=10
/ip service
set telnet address=0.0.0.0/0 disabled=no port=23
set ftp address=0.0.0.0/0 disabled=no port=21
set www address=0.0.0.0/0 disabled=no port=80
set ssh address=0.0.0.0/0 disabled=no port=22
set www-ssl address=0.0.0.0/0 certificate=none disabled=yes port=443
set api address=0.0.0.0/0 disabled=yes port=8728
set winbox address=0.0.0.0/0 disabled=no port=8291
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no \
inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=yes show-dummy-rule=yes
/ppp aaa
set accounting=yes interim-update=10m use-radius=no
/queue interface
set ether1 queue=ethernet-default
set ether2 queue=ethernet-default
set ether3 queue=ethernet-default
set Hotspot queue=wireless-default
set Jan queue=wireless-default
set "locals" queue=wireless-default
set l2tp-out1 queue=default
/radius
add accounting-backup=no accounting-port=1813 address=10.1.70.1 \
authentication-port=1812 called-id="" comment="" disabled=no domain="" \
realm="" secret=1017075 service=ppp,login timeout=2s
add accounting-backup=yes accounting-port=1813 address=10.0.2.4 \
authentication-port=1812 called-id="" comment="" disabled=yes domain="" \
realm="" secret=J5Ubnm5F service=ppp timeout=300ms
add accounting-backup=no accounting-port=1813 address=172.10.0.10 \
authentication-port=1812 called-id="" comment="" disabled=yes domain="" \
realm="" secret=1017075 service=hotspot timeout=300ms
/radius incoming
set accept=no port=3799
/store
add comment="" disabled=no disk=system name=user-manager1 type=user-manager
add comment="" disabled=no disk=system name=web-proxy1 type=web-proxy
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start=\
"jan/01/1970 00:00:00" time-zone=+00:00
/system console
add disabled=no port=serial0 term=vt102
/system health
set fan-mode=auto use-fan=main
/system identity
set name="name"
/system logging
add action=memory disabled=no prefix="" topics=info
add action=memory disabled=no prefix="" topics=error
add action=memory disabled=no prefix="" topics=warning
add action=echo disabled=no prefix="" topics=critical
add action=memory disabled=no prefix="" topics=wireless,debug
add action=remote disabled=no prefix="name" topics=wireless,debug
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp=10.1.70.1 secondary-ntp=0.0.0.0
/system ntp server
set broadcast=no enabled=no manycast=yes multicast=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=\
0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=\
none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=10
/tool e-mail
set from=<> server=0.0.0.0
/tool graphing
set store-every=5min
/tool mac-server
add disabled=no interface=all
/tool mac-server ping
set enabled=yes
/tool sniffer
set file-limit=10 file-name="" filter-address1=0.0.0.0/0:0-65535 \
filter-address2=0.0.0.0/0:0-65535 filter-protocol=ip-only filter-stream=\
yes interface=all memory-limit=10 only-headers=no streaming-enabled=no \
streaming-server=0.0.0.0
/tool user-manager customer
add comment="" disabled=no login=admin parent=admin password="" \
paypal-accept-pending=no paypal-allowed=no paypal-secure-response=no \
permissions=owner signup-allowed=no subscriber=admin time-zone=+00:00
/user aaa
set accounting=yes default-group=read interim-update=0s use-radius=no
 
missinlnk
Member Candidate
Posts: 113
Joined: Wed Aug 13, 2008 8:10 pm

Re: Out of my depth with PPP routing

Tue Apr 06, 2010 5:30 pm

Ok, I'm a little confused, so let me restate this to make sure I understand the problem.

On this repeater unit, you have a backhaul client radio, an AP for near-by customers, a hotspot for laptops, and an ethernet connection to an on-site customer. When your near-by customers start using a PPP connection, both the hotspot and the local customer have issues, right?

Does the local ethernet customer have a PPP connection? Is it set on his computer?

What's the L2TP client for? Is it for the ethernet customer? And are you sure you want that to set the default route? Do you want all traffic coming into the router (including from the near-by customer and the hotspot users) to go through that link?

You said you're trying to keep this separate for accounting purposes. Can you give us some more detail about what you're trying to track? That'll help us figure out if there's another way you might be able to solve this same problem.
 
tombrdfrd66
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jan 10, 2009 12:09 am
Location: New Zealand

Re: Out of my depth with PPP routing

Wed Apr 07, 2010 1:14 am

> Ok, I'm a little confused, so let me restate this to make sure I understand the problem.
>
> On this repeater unit, you have a backhaul client radio, an AP for near-by customers, a hotspot for laptops, and an ethernet connection to an on-site customer. When your near-by customers start using a PPP connection, both the hotspot and the local customer have issues, right?
Almost. The problem isn't (or doesn't seem to be) with the PPP connections of the near-by customers. The problem started when I set up PPP FROM THIS ROUTER to the server at the gateway for the on-site customer, who utilises the ethernet and Hotspot connections. Before that he simply used the default route through the backhaul but we needed to keep an account of his usage (ether + hotspot).
> Does the local ethernet customer have a PPP connection? Is it set on his computer?
No. His quota is for ether + hotspot combined. A PPP connection from his computer (via ethernet) wouldn't include hotspot use.
> What's the L2TP client for? Is it for the ethernet customer? And are you sure you want that to set the default route? Do you want all traffic coming into the router (including from the near-by customer and the hotspot users) to go through that link?
My (erroneous?) thinking was that as the near-by customers were already tunnelling through this router via a route set up to the L2TP server, setting the default route to use an L2TP tunnel starting from this router would only catch traffic generated by the ethernet customer + hotspot users, which would be accounted by the L2TP server at the other end.
> You said you're trying to keep this separate for accounting purposes. Can you give us some more detail about what you're trying to track? That'll help us figure out if there's another way you might be able to solve this same problem.
OK. There are four subscribers each of whom has his own monthly data quota we need to track. Three are neighbours who can only access the network via the fourth. So they have individual L2TP tunnels from their CPEs through this router to the server at the gateway which carries their internet (default) traffic and is accounted. The fourth, who has agreed to relay the other three via his router, has an ethernet connection to it and a wireless interface on it running a hotspot for the use of guests. But he too buys a monthly data quota we need to keep track of. So I need a way of routing the traffic generated to the internet from his ethernet AND his hotspot into an accountable tunnel which is separate from the three near-by users.
 
missinlnk
Member Candidate
Posts: 113
Joined: Wed Aug 13, 2008 8:10 pm

Re: Out of my depth with PPP routing

Wed Apr 07, 2010 6:11 pm

> My (erroneous?) thinking was that as the near-by customers were already tunnelling through this router via a route set up to the L2TP server, setting the default route to use an L2TP tunnel starting from this router would only catch traffic generated by the ethernet customer + hotspot users, which would be accounted by the L2TP server at the other end.

Not quite. The traffic from the PPP sessions is being encrypted through this router. However, when you set a default route on a router, all traffic goes through it. That means the PPP connections themselves are (probably, assuming their L2TP server is an IP address not in the same subnet as one of the interfaces on this relay router) getting to their server through this router's L2TP default route. That would explain the problems you are having. What you really want to have happen is to route only the local ethernet's traffic through that L2TP tunnel.

> OK. There are four subscribers each of whom has his own monthly data quota we need to track. Three are neighbours who can only access the network via the fourth. So they have individual L2TP tunnels from their CPEs through this router to the server at the gateway which carries their internet (default) traffic and is accounted. The fourth, who has agreed to relay the other three via his router, has an ethernet connection to it and a wireless interface on it running a hotspot for the use of guests. But he too buys a monthly data quota we need to keep track of. So I need a way of routing the traffic generated to the internet from his ethernet AND his hotspot into an accountable tunnel which is separate from the three near-by users.
Remove the default gateway setting on the L2TP client, so that the default gateway stays what it's currently set at. You'll then need to add a rule to make sure the traffic coming from the ethernet port is routed through the L2TP tunnel. One way to do this would be a mangle rule along with a marked route. Something like this:
/ip firewall mangle
add action=mark-routing chain=prerouting comment="" disabled=no \
    new-routing-mark=ether1-to-l2tp passthrough=yes src-address=\
    192.168.10.0/24
/ip route
add disabled=no dst-address=0.0.0.0/0 gateway=l2tp-out1 \
    routing-mark=ether1-to-l2tp
 
tombrdfrd66
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jan 10, 2009 12:09 am
Location: New Zealand

Re: Out of my depth with PPP routing

Thu Apr 08, 2010 12:17 am

> My (erroneous?) thinking was that as the near-by customers were already tunnelling through this router via a route set up to the L2TP server, setting the default route to use an L2TP tunnel starting from this router would only catch traffic generated by the ethernet customer + hotspot users, which would be accounted by the L2TP server at the other end.
>
> Not quite. The traffic from the PPP sessions is being encrypted through this router. However, when you set a default route on a router, all traffic goes through it. That means the PPP connections themselves are (probably, assuming their L2TP server is an IP address not in the same subnet as one of the interfaces on this relay router) getting to their server through this router's L2TP default route. That would explain the problems you are having. What you really want to have happen is to route only the local ethernet's traffic through that L2TP tunnel.
This doesn't seem to be right. I don't know if PPP packets are addressed to the PPP server (172.16.4.1 in this case) or the router hosting the server (172.16.3.1). However I had a route in the table for the latter and routed only default traffic into the tunnel when it was running, and it was clear from monitoring the interfaces that no traffic from the neighbour's PPP connections was being routed through the tunnel - and at the PPP server end there was traffic monitored on the neighbour's PPP interfaces not on this CPE's PPP interface.
> OK. There are four subscribers each of whom has his own monthly data quota we need to track. Three are neighbours who can only access the network via the fourth. So they have individual L2TP tunnels from their CPEs through this router to the server at the gateway which carries their internet (default) traffic and is accounted. The fourth, who has agreed to relay the other three via his router, has an ethernet connection to it and a wireless interface on it running a hotspot for the use of guests. But he too buys a monthly data quota we need to keep track of. So I need a way of routing the traffic generated to the internet from his ethernet AND his hotspot into an accountable tunnel which is separate from the three near-by users.
>
> Remove the default gateway setting on the L2TP client, so that the default gateway stays what it's currently set at. You'll then need to add a rule to make sure the traffic coming from the ethernet port is routed through the L2TP tunnel. One way to do this would be a mangle rule along with a marked route. Something like this:
>
> /ip firewall mangle
> add action=mark-routing chain=prerouting comment="" disabled=no \
>     new-routing-mark=ether1-to-l2tp passthrough=yes src-address=\
>     192.168.10.0/24
> /ip route
> add disabled=no dst-address=0.0.0.0/0 gateway=l2tp-out1 \
>     routing-mark=ether1-to-l2tp
It's not just ethernet traffic which has to be routed through the tunnel - it's traffic on the hotspot interface also.

The problem appears to be that with just one interface active the setup works: default traffic coming off it gets routed through the tunnel while non-default traffic, which includes the neighbours' PPP traffic, bypasses it. However, when both the ethernet and the hotspot interfaces are active it's as though the router doesn't know which way to route return traffic emerging from the tunnel; it doesn't know if it originated at the ethernet or the hotspot interface.
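The mangle-plus-marked-route suggestion above covers only the ethernet subnet, and the follow-up points out that the hotspot subnet must take the same path. The following is an added example, not configuration posted in the thread, that extends that suggestion to both subnets using the interface names and addresses from the export earlier in the thread (ether1 on 192.168.10.0/24, Hotspot on 10.5.50.0/24, client l2tp-out1, profile L2TP). The routing-mark name to-l2tp is my own choice; the masquerade rule for out-interface=l2tp-out1 already exists in the export, so the return path needs no marking: connection tracking un-NATs replies arriving from the tunnel and the main table's connected routes deliver them to the right subnet.

```routeros
# Added example (not from the thread). Policy-route the on-site customer's
# ethernet and hotspot subnets into the accounted tunnel, leaving the
# neighbours' own L2TP sessions (dst 172.16.3.1, static route in the main
# table) untouched. Names and addresses are taken from the export above;
# the routing mark "to-l2tp" is an assumed name.

# 1. Stop the tunnel from installing a default route; the main table keeps
#    0.0.0.0/0 via 10.1.70.1 for everything that is not marked.
/interface l2tp-client
set l2tp-out1 add-default-route=no disabled=no

# 2. Mark forwarded traffic from both subscriber subnets. dst-address-type=!local
#    skips packets addressed to the router itself (hotspot login page, DNS on
#    10.5.50.1, DHCP), so the hotspot's own redirection keeps working.
/ip firewall mangle
add chain=prerouting src-address=192.168.10.0/24 dst-address-type=!local \
    action=mark-routing new-routing-mark=to-l2tp passthrough=no \
    comment="on-site ethernet -> accounted tunnel"
add chain=prerouting src-address=10.5.50.0/24 dst-address-type=!local \
    action=mark-routing new-routing-mark=to-l2tp passthrough=no \
    comment="hotspot guests -> accounted tunnel"

# 3. A default route that is consulted only for marked packets.
/ip route
add dst-address=0.0.0.0/0 gateway=l2tp-out1 routing-mark=to-l2tp \
    comment="marked subscriber traffic only"

# 4. The export shows profile L2TP with change-tcp-mss=default while the
#    tunnel MTU is 1460. Clamping MSS on the tunnel is the first thing to
#    check when ping and traceroute succeed but TCP sessions stall.
/ppp profile
set L2TP change-tcp-mss=yes
```

To confirm the split, watch the interface counters: with a neighbour's CPE active and the on-site PC idle, /interface monitor-traffic l2tp-out1 should stay near zero while Jan carries the neighbour's L2TP packets to 172.16.3.1; with the PC browsing, the bytes should appear on l2tp-out1 and on the corresponding PPP interface at the server end.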
 
tombrdfrd66
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jan 10, 2009 12:09 am
Location: New Zealand

Re: Out of my depth with PPP routing

Mon Apr 12, 2010 12:57 am

It seems to me that the answer is simple, which is what makes me suspicious as anything connected to RouterOS is usually a riddle wrapped in a mystery in an enigma.

If I create a PPP tunnel from the CPE to the gateway with the default route via the tunnel as usual, anything internet-bound from the ether or the hotspot interface will be routed into the tunnel. However, anything arriving from the local neighbours inside their tunnels won't need a default route as it will be addressed to the PPP server host, so as long as there is a static route to the PPP server's host the only packets using the tunnel from the CPE will be the traffic I need to account, from the ether and the hotspot. So there shouldn't be any need for route-marking.

If the tunnel is source-natted it should record the source address of the packets entering the tunnel and route the return packets to their original source, ether or hotspot, shouldn't it?

I'll try it and see.
 
tombrdfrd66
Member Candidate
Topic Author
Posts: 243
Joined: Sat Jan 10, 2009 12:09 am
Location: New Zealand

Re: Out of my depth with PPP routing

Mon Apr 12, 2010 2:13 am

IT DOESN'T WORK.

Ping works and traceroute works, but when the PC at the start of the ethernet link tries to set up a TCP connection it hangs, and from watching the interface traffic it seems to me that replies are reaching the router via the PPP tunnel but then being lost, as though the router doesn't know where to send them.

It's as though src-nat isn't doing its job in tracking the originating address of packets being sent over the tunnel.

Could the problem lie somehow with the hotspot configuration? In setting it up I don't interfere with the firewall rules that are added. Could they be confusing things?

Damned if I can see how, but there's something unexpected going on.